
Reports reveal Apple’s Hide My Email bug lets attackers unmask users’ real email addresses
A newly reported bug in Hide My Email, Apple's paid iCloud+ feature, appears to allow users’ real email addresses to be exposed behind the disposable aliases meant to protect them. While the exact method has not been disclosed to prevent exploitation, the flaw reportedly lets someone connect a Hide My Email address back to the real inbox it forwards to, weakening the core privacy purpose of the feature.
Security researcher Tyler Murphy first reported the issue to Apple in June 2025, and 404 Media says it later tested and verified the vulnerability. Murphy said every attempt to exploit the issue in his testing was successful, including volunteer trials where all tested Hide My Email addresses were reportedly exploitable. Apple told him in March 2026 that the issue had been addressed through a system change, but Murphy said the exploit still worked afterward. The company later said it was still investigating and expected to release a security update in the following weeks.
The report adds to recent criticism around yet another change to Hide My Email, after Apple announced that new aliases created with the feature would use a dedicated @private.icloud.com domain. Some users argued that this could make Hide My Email addresses easier for websites to detect or block, while also making it more obvious when someone is using Apple’s privacy feature to hide their real address. Eitherway, until Apple confirms a fix, users relying on Hide My Email to stay private should treat that anonymity as unreliable.

